Case Details
Severity:
Queue:
Owner:
Vertical:
ThreatCategory*:
SOPField:
Status: closed
Escalated: False
OnHold: False
USB Timer Low (ended)
Risk SLA (ended)
Notes (2)

Note (user):
OUI Inventec(Chongqing) Corporation belongs to the docking station, not the actual device. Device is not connected; closing as TP-B.

Note (user):
192.168.1.2 dhcpd[25781]: DHCPOFFER on 10.11.12.14 to 84:3a:5b:ab:cd:ef (David-s-S10) via eth2 relay 10.11.12.13 lease-duration 120 offered-duration 3600 uid 01:84:3a:5b:gh:ij:kl
OUI: 84:3A:5B Inventec(Chongqing) Corporation
nslookup: 10.11.12.13 --> sitecodeABC.com; site code: ABC
CISCO ISE: connection status: not connected; endpoint profile: unknown; identity group assignment: unknown
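The enrichment the analyst performed by hand on this alert (parse the dhcpd DHCPOFFER line, look up the MAC's OUI, reverse-resolve the relay address to get the site code, pull the endpoint's Cisco ISE state) as an added Python example. It is not part of the case, the GSOC_RogueDevice rule or any playbook on this page. The OUI table, the PTR answers, the ISE endpoint table and the sitecode<CODE>.<domain> naming convention are constructed assumptions for this example; a real playbook would query the IEEE OUI registry, DNS and the ISE API instead.

```python
"""Enrich an ISC dhcpd DHCPOFFER event the way the analyst did by hand.

Field names mirror the CIM alert fields on the case (dest, dest_mac, relay,
dest_nt_host). All lookup tables below are constructed for this example.
"""
import re
from typing import Optional

# ISC dhcpd DHCPOFFER syslog line, with the optional trailing fields dhcpd prints.
DHCPOFFER_RE = re.compile(
    r"^(?P<server>\S+) dhcpd\[(?P<pid>\d+)\]: DHCPOFFER on (?P<dest>[\d.]+) "
    r"to (?P<dest_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<dest_nt_host>[^)]*)\))?"
    r" via (?P<interface>\S+)"
    r"(?: relay (?P<relay>[\d.]+))?"
    r"(?: lease-duration (?P<lease_duration>\d+))?"
    r"(?: offered-duration (?P<offered_duration>\d+))?"
    r"(?: uid (?P<uid>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed OUI table: the only entry is the prefix from the case. A real
# deployment loads the IEEE OUI registry instead of hard-coding vendors.
OUI_TABLE = {"84:3A:5B": "Inventec(Chongqing) Corporation"}

# Constructed reverse-DNS answers standing in for nslookup. Assumption: relay
# hostnames carry the site code as "sitecode<CODE>.<domain>", as in the case.
PTR_TABLE = {"10.11.12.13": "sitecodeABC.com"}
SITE_CODE_RE = re.compile(r"^sitecode([A-Za-z0-9]+)\.", re.IGNORECASE)

# Constructed ISE endpoint lookup keyed by lower-case MAC (assumption: returns the
# three attributes the analyst quoted; MACs ISE has never seen are "not connected").
ISE_ENDPOINTS: dict = {}
ISE_UNKNOWN = {"connection_status": "not connected",
               "endpoint_profile": "unknown", "identity_group": "unknown"}


def parse_dhcpoffer(line: str) -> Optional[dict]:
    """Return the named fields of a DHCPOFFER line, or None if it is not one."""
    m = DHCPOFFER_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dest_mac"] = ev["dest_mac"].lower()
    for key in ("lease_duration", "offered_duration"):
        if ev[key] is not None:
            ev[key] = int(ev[key])
    return ev


def oui_vendor(mac: str) -> str:
    """Map the first three octets of a MAC to a vendor name, or 'unknown'."""
    prefix = ":".join(mac.upper().split(":")[:3])
    return OUI_TABLE.get(prefix, "unknown")


def site_code_for_relay(relay: Optional[str]) -> Optional[str]:
    """Derive the site code from the relay's PTR name when it follows the convention."""
    name = PTR_TABLE.get(relay or "")
    if not name:
        return None
    m = SITE_CODE_RE.match(name)
    return m.group(1).upper() if m else None


def uid_matches_mac(uid: Optional[str], mac: str) -> Optional[bool]:
    """Compare the DHCP client identifier with the hardware address.

    dhcpd prints the client identifier in hex; type 01 means Ethernet followed by
    the MAC, so a mismatch is worth a look. Returns None when the uid is absent,
    not of that form, or not fully hex (the uid on this case is partly redacted).
    """
    if not uid or not uid.lower().startswith("01:"):
        return None
    body = uid[3:].lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", body):
        return None
    return body == mac.lower()


def enrich(line: str) -> Optional[dict]:
    """Parsed DHCPOFFER fields plus the OUI, site code, uid check and ISE state."""
    ev = parse_dhcpoffer(line)
    if ev is None:
        return None
    return {**ev,
            "oui_vendor": oui_vendor(ev["dest_mac"]),
            "site_code": site_code_for_relay(ev["relay"]),
            "uid_matches_mac": uid_matches_mac(ev["uid"], ev["dest_mac"]),
            "ise": ISE_ENDPOINTS.get(ev["dest_mac"], ISE_UNKNOWN)}


# Sample input: the DHCPOFFER line quoted in the case notes.
SAMPLE_LINE = ("192.168.1.2 dhcpd[25781]: DHCPOFFER on 10.11.12.14 to 84:3a:5b:ab:cd:ef "
               "(David-s-S10) via eth2 relay 10.11.12.13 lease-duration 120 "
               "offered-duration 3600 uid 01:84:3a:5b:gh:ij:kl")

if __name__ == "__main__":
    for key, value in enrich(SAMPLE_LINE).items():
        print(f"{key:18} {value}")
```

The enrichment leaves the verdict to the analyst: an OUI that belongs to a docking station, as here, says nothing about the device behind it, which is why the note pairs the OUI with the ISE session state before closing. Because the uid on this case is partly redacted, the client-identifier check returns None rather than reporting a false mismatch.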
Investigation Data

CIM Alert Data
Field                    Value
savedsearch_description  $"detectionrequest": "ISSDETECT-5575"$ Convert RogueDevice ESA rule to Splunk | MITRE - TA0001/T1200 $"netwitnessrulename": "GSOC_RogueDevice"$ $"netwitnesscutoffdate": "08/xx/2023"$
dest_mac                 84:3a:5b:ab:cd:ef
relay                    10.11.12.13
rule_description         GSOC_RogueDevice for David-s-S10
signature                DHCPOFFER
dest                     10.11.12.14
tag                      modaction_result
action                   added
dest_nt_host             David-s-S10

Summary: USB_Infoblox_RogueDevice
Escalation Notes: N/A
Transfer Notes: N/A
Extra Stuff
Occurred:
Last Updated:
Created:
Type:
Playbook:
Close Reason*:
Close Notes: OUI Inventec(Chongqing) Corporation belongs to the docking station, not the actual device. Device is not connected; closing as TP-B.
Resolution SLA Missed Justification*: SLA Not Breached
Follow Up:
Follow Up Notes: N/A
acceptDuration: Acceptance SLA Met
Time to Assignment (ended)
Linked Incident Count: 0